The Evolution of Global Privacy Law

1
The Evolution of Global Privacy Law

IBM Fall 2006 Security and Privacy Day

• Lisa J. SottoPartner
• Hunton Williams LLP(212) 309-1223lsotto_at_hunton
  .com
• November 13, 2006
• November 13, 2006

2
What is Privacy and Data Security?

• Privacy is the appropriate use of information as
  defined by
• Law
• Consumer expectations
• Security is the protection of information
• Confidentiality (protection against unauthorized
  access to data)
• Data integrity

3
Four Privacy Risks

• Legal compliance
• Reputation
• Investment
• Reticence

4
Data Protection LawsAround the World
5
US Privacy Laws

• Major federal laws are
• GLB Financial institutions
• HIPAA Health care entities
• FCRA/FACTA Consumer reporting agencies
• FTC Disposal Rule
• DPPA DMV records
• CAN-SPAM Commercial e-mail
• COPPA Childrens data
• Do-Not-Call Registry Telemarketing
• FTC Act Section 5 Prohibits unfair or deceptive
  trade practices
• Privacy Act of 1974

6
California

• Disclosures to Direct Marketers Law (SB 27)
• California Online Privacy Protection Act
• Security of Personal Information (AB 1950)
• California Computer Security Breach Act (SB 1386)

7
Information Security

• 2005 was the year of the security breach
• In 2005/2006, 365 information security breaches
  so far
• ChoicePoint - DSW
• Bank of America - CardSystems
• Lexis Nexis - Boston Globe
• Over 97 million potentially affected
• 34 state security breach notification laws
• Numerous federal bills

8
State Security Breach Notification Laws

• Generally, the duty to notify arises when
  unencrypted personal information was (or was
  reasonably believed to have been) acquired or
  accessed by an unauthorized person
• Some states require notification when encrypted
  information has been acquired or accessed along
  with the encryption key
• Personal information is an individuals name,
  combined with
• SSN
• drivers license or state ID card number
• account, credit or debit card number along with
  password or access code
• But state laws differ
• Computerized v. paper data
• Definition of PI
• Notification to state agencies
• CRA notification
• Harm threshold

9
Recent FTC Enforcement Actions

• Most FTC privacy enforcement actions result from
  security breaches
• CardSystems
• ChoicePoint
• DSW
• BJs Wholesale Club
• Petco
• Tower Records
• Barnes Noble.com
• Guess.com, Inc.
• Enforcement trends

10
Emerging State Law Issues

• Social Security Numbers
• A number of states regulate the private sector
• Many others are considering similar legislation
• Child Protection Registry Laws
• Michigan and Utah currently regulate
• Other states pending
• Senders are prohibited from sending adult
  messages to contact points listed on state
  registries
• FTCs view
• Employee Email Monitoring
• Delaware and Connecticut have employee monitoring
  laws in place

11
Emerging State Law Issues (contd.)

• Website Privacy Notices
• California, Nebraska and Pennsylvania
• Radio Frequency Identification (RFID)
• At least 13 states are considering privacy
  legislation regulating the use of RFID
• Anti-Spyware
• 12 states currently have anti-spyware laws
• At least 17 other states are considering
  anti-spyware legislation

12
The EU Directive

• Enacted in 1995, each country has its own
  national data protection law the Directive sets
  the floor
• Requires entities to notify authorities or
  register before processing personal data
• Prohibits transfer of personal data to non-EU
  jurisdictions unless adequate level of
  protection is guaranteed
• U.S. is not adequate
• Data transfer is permitted
• To adequate countries (e.g., Switzerland,
  Canada)
• Within the safe harbor framework (from EU to U.S.
  only)
• Where a contract ensures adequate protection
• With unambiguous consent of data subject
• BCRs

13
Recent EU Issues

• Whistleblower hotlines
• Data Retention Directive
• PNR Data
• SWIFT issue
• New security breach notification proposals

14
PIPEDA

• The Personal Information Protection and
  Electronic Documents Act (effective January 1,
  2004)
• Establishes rules for the management of personal
  information by organizations involved in
  commercial activities
• Applies to the collection, use and disclosure of
  personal information by organizations during
  commercial activities
• Personal information is any information about an
  identifiable individual whether recorded or not
• Requirements
• Identify purposes of data collection
• Obtain consent and limit use to identified
  purposes
• Limit collection to necessary information
• Limit use, disclosure and retention
• Individual access

15
Latin America

• Argentina has an adequate comprehensive law,
  and now an active DPA
• Several nations have draft data protection laws
• Other nations codify privacy in consumer
  protection laws
• Many Latin American nations implement data
  protection concepts through habeas data rights
• Habeas data rights are found in many national
  constitutions

16
Japan

• Personal Information Protection Act
• Enacted in 2003, fully effective April 1, 2005
• Personal information is any information that
  identifies an individual data subject contained
  in a personal information database (online or
  offline)
• Applies to each entity using a personal
  information database
• Third party does not include data processors
  but does include affiliates
• Civil and criminal penalties for violations
• Guidelines have been published by various
  Ministries

17
APEC

• Created an information privacy framework with 9
  privacy principles
• Preventing harm - Integrity
• Notice - Security
• Collection limitation - Access and correction
• Uses of personal information - Accountability
• Choice
• Endorsed by 21 member economies in November 2004
• Consistent with OECD Guidelines

18
New and Expected Global Privacy Regimes

• Russia
• DP law passed July 2006
• Bears strong resemblance to EU Directive
• India
• New data security proposals to amend Indias IT
  Act of 2000
• The proposals result from recent breaches and
  reports of lax security practices
• China
• Law is currently being drafted

19
U.S. Enforcement and Litigation

• FTCs new Division of Privacy and Identity
  Protection
• The FTCs enforcement tools are evolving to meet
  new problems
• CardSystems
• ChoicePoint
• DSW
• BJs Wholesale Club
• Petco
• Tower Records
• Barnes Noble.com
• Guess.com, Inc.
• U.S. privacy litigation trends

20
Privacy Issues Are Often Unexpected

• Information security breaches pose new and
  sometimes acute risks
• FTC enforcement and litigation
• Erosion of customer trust
• Public perception of brand plummets
• Investor concerns and market reaction
• Whistleblower hotlines
• HPs pretexting issues

21
Minimizing the Risk

• Prevention is the primary goal, but proactive
  planning can minimize impact if a privacy event
  occurs
• Concern and focus on data privacy and security
  must come from the top
• Data privacy now often involves the CEO, CFO,
  CPO, CIO and GC
• Re-evaluate security systems and privacy and
  security policies on an ongoing basis
• Integrate the concern for information privacy and
  security as a core value and train often

22
The Global Perspective

• Information security is the global topic du jour
• Expect new U.S. privacy legislation
• New level of professionalism of EU DPAs
• There is significant activity globally to enact
  new data protection laws
• There will be a focus on data protection
  harmonization in coming years

23
Questions?

• Lisa J. SottoPartnerHead, Privacy and
  Information Management PracticeHunton Williams
  LLP(212) 309-1223lsotto_at_hunton.com

233317v2